Router ACL on SVI; Inbound or Outbound?

Just a little note on SVI access-lists (or, as Cisco calls it, Router ACL on SVI).
Three routers are configured as below.

! R1

int f0/0
 ip addr 12.12.12.1 255.255.255.0
 no shut

router ospf 1
 net 0.0.0.0 0.0.0.0 a 0
 
! R2
int vlan 100
 ip addr 12.12.12.2 255.255.255.0
 
int f1/0
 switchport mode access
 switchport access vlan 100
int f0/0
 ip addr 23.23.23.2 255.255.255.0

router ospf 1
 net 0.0.0.0 0.0.0.0 a 0

! R3

int f0/0
 ip addr 23.23.23.3 255.255.255.0
 no shut

router ospf 1
 net 0.0.0.0 0.0.0.0 a 0
 
ip http server

I’m testing the access-list on the SVI with ICMP and HTTP from R1 (12.12.12.1) to R3 (23.23.23.3) and checking the matches on the ACL. I’m expecting that HTTP access will be denied and ICMP will be allowed.

The direction of the access-list on the SVI (inbound or outbound) was tested as below.

! R2
Extended IP access list ACL
    10 deny tcp host 12.12.12.1 host 23.23.23.3 eq www
    20 permit ip any any (1 match)

int vlan 100
 ip access-group ACL out
 
! RESULT. ICMP and HTTP access are both OK

! R2
Extended IP access list ACL
    10 deny tcp host 23.23.23.3 eq www host 12.12.12.1 
    20 permit ip any any (5 matches)

int vlan 100
 ip access-group ACL in

! RESULT. ICMP and HTTP access are both OK

! R2
Extended IP access list ACL
    10 deny tcp host 23.23.23.3 eq www host 12.12.12.1 (6 matches)
    20 permit ip any any 

interface Vlan100
 ip access-group ACL out

! RESULT. ICMP OK, HTTP access is opened then timed-out.

! R2
Extended IP access list ACL
    10 deny tcp host 12.12.12.1 host 23.23.23.3 eq www (3 matches)
    20 permit ip any any 

interface Vlan100
 ip access-group ACL in

! RESULT. ICMP OK, HTTP access is UNREACHABLE 

Summary. The rule of thumb for the direction of an ACL on an SVI, from the tests above, is:

An ACL always has the form of , while the direction of the ACL on the SVI works as below:

  • If it’s INBOUND (“ip access-group ACL out”), then it means “it’s going OUT TO the VLAN100 access ports.”
  • If it’s OUTBOUND (“ip access-group ACL in”), then it means “it’s going AWAY from the VLAN100.”

Since this is as confusing as it can be, I prefer to use a VLAN access-map.
